Wednesday, January 10, 2018

Test And Recover Your Passwords By Cracking Them With Hashcat

Introduction

Hashcat is a robust password cracking tool that can help you recover lost passwords, audit password security, benchmark, or just figure out what data is stored in a hash.

There are a number of great password cracking utilities out there, but Hashcat is known for being efficient, powerful, and full featured. Hashcat makes use of GPUs to accelerate hash cracking. GPUs are much better at handling this kind of cryptographic work than CPUs are, and they can be used in much greater numbers than CPUs. Hashcat also supports a very wide range of popular hash types, so it can handle nearly any password hash you are likely to run into.

Please note that misuse of this program can be illegal.
Only test on systems that you own or have written permission to test
on. Don't share or post hashes or results publicly. Hashcat should be
used for password recovery and professional security audits.

Getting Some Hashes

If you're going to test out Hashcat's hash cracking capabilities, you're going to need some hashes to test with. Don't do something crazy and start digging up real user password hashes on your computer or server. You can create some dummy ones for just this purpose.

You can use OpenSSL to create a series of password hashes that you would like to test. You don't have to go totally nuts, but you should have a few to really see what Hashcat can do. cd into a folder where you would like to do your testing. Then, use the command below to echo possible passwords into OpenSSL and output them into a file. The sed portion just strips away the extra output so that only the hashes remain.

Just run it a few times with different passwords, so you have a few in the file.

Getting A Wordlist

For this test, you're going to need a wordlist of passwords to test against. There are tons of these online, and you can find them all over. You can also use a utility like Crunch, or just make one by typing a bunch of words into a text document.

Hashcat will take some time. If you have a slow system, it will take a
lot of time. Just be mindful of that. If it's taking too long, reduce
the number of hashes in your list.

In the end, Hashcat should display each of your hashes along with its value. It might not get all of them, depending on which words you used.

Options

As you have seen, Hashcat relies heavily on different flags and options to work properly. Taking it all in at once can be daunting, so this next section will break it all down.

Hash Types

The first flag that you see there is the -m flag. In the example, it's set to 1700, the value in Hashcat that corresponds to SHA-512. To see the full list, run Hashcat's help command, $ hashcat --help. There are a lot there, so you can see why Hashcat has such a wide range of uses.

Attack Modes

Hashcat is capable of several different attack modes. Each of these modes tests the hashes against your wordlist differently. Attack modes are specified with the -a flag, and take values corresponding to a list available through the help command. The example used a very common option, the combination attack. Combination attacks attempt to re-arrange words and add common numbers in places users typically would. For basic usage, this is generally the best option.

Rules

There is also a rules file specified with the -r flag. The rules files are located at /usr/share/hashcat/rules, and they tell Hashcat how to mangle the words in your wordlist when conducting its attacks. You must specify a rules file for many of the attack modes, including the one used in the example.

Output

Though it wasn't used in the example, you can specify an output file for Hashcat. Just add the -o flag followed by the desired location of your output file. Hashcat will save the results of its cracking session to that file, in the same form they appear in the terminal.

Closing Thoughts

Hashcat is an insanely powerful tool, and it scales with the tasks that it is assigned and the hardware that it is running on. Hashcat is designed to handle large scale tasks and work through them in the most efficient way possible. This isn't some hobby tool. It is absolutely professional grade.

If you're really interested in utilizing Hashcat's full power, it's definitely worth exploring the GPU options available to people with powerful graphics cards.

Of course, remember to use Hashcat responsibly, and keep your password cracking legal.
